Cloning DESFire even possible?

I recently got my pm3 setup (thanks, everyone). I'm hoping to try to clone a card I have.

This is the result of running the auto command. I was not able to find any resources for this. Is this possible to do? I would be happy to run some commands if you need. Thanks for your help.

Cloning DESFire even possible?

Well Yes and No, but mostly No


There are no implants that you can clone it to…But you sort of can…kinda

So, here’s the abbreviated nutshell

Mifare DESFire has yet to be cracked

BUT you have a few options available to you
(I am assuming you want this DESFire access on an implant?)
Here's what I would try, in the order I would try:

  • See the access administrators and ask if you could enroll an implant (simplified, and some social engineering may be required). This implant MIGHT be possible to be another 7-byte implant, of which there are a few, including the FlexDF2, xDF2, and FlexDF. First I would get a test card bundle and try them all out; that way you will know which implant, if any, is compatible.
    The problem you may have is that the DF EV2 you have might have an applet written to the card.

  • Get a conversion service done with your card (the turnaround time for this may vary, and the cost is around $200, BUT a guaranteed success)

  • Get a Mifare Compatible 4K Magic UID (7 Byte) – Changeable UID Card
    LINK
    (There are limitations to this, see the link for more info, BUT the UID is changeable with your Proxmark (follow the link for the command line), so if that is all the access system is checking you are golden.) Then send THIS one off for conversion.

Any more questions, fire away


Thank you for your thorough response. I was actually just trying to clone the card onto another card. Would I be able to clone my original onto the Mifare Compatible 4K Magic UID (7 Byte) – Changeable UID Card? Are there any resources for this?

Yes buddy, all in the link… actually sorry, that link doesn't have the same info. The Lab401 link (below) has a bit more info that should explain it further.

Basically, as far as cloning DESFire goes, that’s probably the closest you will get.
So worth a try, but still not guaranteed

A cheaper option would be a 7-byte Mifare Classic card, but less likely to work.

How would I go about cloning the card? What command is equivalent to hf mf chk that will work for this card? Do I dump the contents of my card to a dump file and then upload that to the cards you just linked? This is the first card I have attempted to clone and I have only found resources for MIFARE Classic cards. Thanks for all your help.

You aren't really able to clone as such, you are hoping that the system you are wanting to use it on is ONLY looking for the UID.

So on the DESFire Modifiable card, this is the command you would send

hf 14a raw -s -c 02 00 ab 00 00 07 xx xx xx xx xx xx xx

Where xx xx xx xx xx xx xx is your target UID.

That’s your basic UID change, and that MIGHT be all you need.
HOWEVER
I don’t want to dive too deep, just know there are another couple of factors that COULD be of importance.

The ATS / ATQA on the card are fixed (you can't modify these)
06 75 77 81 02 80 02 F0
But it is the same as your screen shot above

The SAK values can be modified, but not by you, so if you needed this to be changed, you would request that when you order the card.

I’m not sure of the default SAK values of the Modifiable card and I am away from mine at the moment to check, so I’ll do that for you later.

I hope that makes sense, I don’t want to overwhelm you.

but feel free to ask more questions

not to mention that the magic desfire cards don’t actually (to my knowledge) support any secure applications… they just appear to be a desfire card to a reader that doesn’t do any deep digging or use any of the secure features of the desfire… which is highly unlikely since the whole point of supporting desfire cards is to use the secure features… and the desfire chips are 10x more expensive than cheap insecure 125khz LF chips… so if the company is paying to use desfire, then it’s pretty much a guarantee they are going to be using the secure features of the desfire… why else pay 10x to make cards and fobs for the system if they don’t?

Any other vendors for those emulator cards to change the SAK? Buy in bulk for a discount? Lab401 is expensive.

Yeah, they are.

here’s an option that’s slightly cheaper

https://a.aliexpress.com/_ms42SGY

thank you!

I found my Proxmark was able to autopwn this and then I did a dump. But I assume I need a DESFire emulator card?

Or how would I go about making a spare for my fob.

UID: 5A 3A 7B 48
[+] ATQA: 00 04
[+] SAK: 08 [2]
[+] Possible types:
[+] MIFARE Classic 1K
[=] proprietary non iso14443-4 card found, RATS not supported
[+] Prng detection: hard
[=]
[=] — Tag Signature
[=] IC signature public key name: NXP Mifare Classic MFC1C14_x
[=] IC signature public key value: 044F6D3F294DEA5737F0F46FFEE88A356EED95695DD7E0C27A591E6F6F65962BAF
[=] Elliptic curve parameters: NID_secp128r1
[=] TAG IC Signature: 42E55BE4AAE24280701F60B345DAC63F3BDB3DD1683AFCCDB1D23CF0D702F5F5
[+] Signature verification: successful
[?] Hint: try hf mf commands

We have some yet to be released DESFire emulator cards ( 4&7 byte) which you can change the UID but also SAK, ATQA and ATS.

If of interest, I can get these fast tracked to our store

MIFARE DESFire EV2 credentials cannot be cloned. Even using a supercomputer, it would take 1 billion billion years to crack an AES 128-bit key using brute force methods (3). Naturally, cards embedded with this level of security are more expensive than the low frequency alternatives.

This is why I don’t think magic desfire cards are worth it. If any application is going to go through the expense of deploying a desfire card, they are for sure going to utilize its security features and put a secure file or two on the card, and use those secure files on the card for securing their application.

Furthermore, magic DESFire chips only emulate the ISO14443A protocol features of the DESFire, not its secure file capabilities.

So, even if you could crack a desfire chip, the only way you could utilize a magic desfire chip is if the application only checked the UID or other basic iso14443a protocol data elements and did not use any secure files on the chip.

To me it seems pointless?
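The point made in this post and earlier in the thread (a magic card can copy a UID but has no key material, so only a reader that checks nothing beyond the UID is fooled) modelled as a small added example; this is not code from any poster or vendor. HMAC-SHA256 stands in here for DESFire's real AES mutual authentication, and the key, UID and class names are constructed for the demonstration.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

# Constructed sample values for the demonstration; not taken from any real card.
SITE_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
ENROLLED_UID = bytes.fromhex("04a1b2c3d4e5f6")   # a 7-byte UID on the allowlist


@dataclass
class GenuineCard:
    """Model of a genuine credential: carries both the UID and the secret key."""
    uid: bytes
    key: bytes

    def respond(self, challenge: bytes) -> bytes:
        # Proves possession of the key without ever sending the key itself.
        return hmac.new(self.key, self.uid + challenge, hashlib.sha256).digest()


@dataclass
class MagicUidClone:
    """Model of a magic card: the UID was copied, but no key material exists."""
    uid: bytes

    def respond(self, challenge: bytes) -> bytes:
        # Nothing to compute a valid response with; it can only answer with junk.
        return bytes(32)


def uid_only_reader(card, allowlist: set) -> bool:
    """Weak reader: grants access to anything presenting an enrolled UID."""
    return card.uid in allowlist


def authenticating_reader(card, allowlist: set, site_key: bytes) -> bool:
    """Stronger reader: requires an enrolled UID AND a correct answer to a
    fresh random challenge, so a copied UID alone is not enough."""
    if card.uid not in allowlist:
        return False
    challenge = os.urandom(16)   # fresh per attempt, so replay does not help
    expected = hmac.new(site_key, card.uid + challenge, hashlib.sha256).digest()
    return hmac.compare_digest(expected, card.respond(challenge))
```

Run both readers against a genuine card and a UID-only clone of it: the clone passes the UID-only reader and fails the authenticating one, which is exactly the distinction the thread is drawing.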